Cyber Security and Resilience (Network and Information Systems) Bill (Third sitting)

Kanishka Narayan

On that important point, which the hon. Member for Bognor Regis and Littlehampton also raised, the changes to the definition came about in part through extensive engagement, and in particular by ensuring that the attributes of “elastic” and “scalable” were treated individually rather than jointly and that “shareable”—the ability to have multi-tenants and therefore be a genuine cloud computing service for multiple clients—was considered in scope. As I mentioned to the hon. Member for Bognor Regis and Littlehampton, it is important that we keep this under review, and part of the reason for the secondary powers in the Bill is to make sure it remains both specific, giving clarity and certainty, and flexible at the same time.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

Currently, the law requires regulated persons to manage risks to the security of their systems. Amendment 28, tabled by the Liberal Democrats, explicitly inserts “risks arising from fraud” into that duty. It would make it clear that a system cannot be considered secure if it is easily exploited by scammers.

Fraud should be considered a national security issue, and there is clearly a relationship between fraud and cyber-security. Scammers across the world are targeting British citizens. Elderly fraud victims in Dyfed-Powys lose £7,900 a day to a tidal wave of scams perpetrated by scammers from many countries across the world, notably Nigeria. UK-wide, in the first half of 2025 alone, criminals stole over £600 million through scams. Surely, we cannot pass a cyber-security and resilience Bill—

The Chair

Order. I think the hon. Member is discussing the next group of amendments, to clause 8. At the moment, we are discussing amendment 13 to clause 7.

David Chadwick

Apologies for the preview.

Dr Ben Spencer

If I might just help a colleague, I think the grouping and selection of amendments has changed, so the hon. Member for Brecon, Radnor and Cwm Tawe may have the previous iteration.

The Chair

That is very helpful. Thank you.

Amendment 13 agreed to.

Clause 7, as amended, ordered to stand part of the Bill.

Clause 8

Duties of relevant digital service providers

David Chadwick

I beg to move amendment 25, in clause 8, page 7, line 31, at the end insert—

“(1A) In paragraph (1), after ‘risks’ insert ‘, including risks arising from fraud,’”.

This amendment would explicitly include fraud as one of the risks to the security of network and information systems relevant digital service providers must identify and manage.

The Chair

With this it will be convenient to discuss the following:

Amendment 28, in clause 8, page 8, line 4, at end insert—

“(4) After paragraph (2) insert—

‘(2A) When taking measures to manage risks under paragraph (1), a RDSP must, in the design of the relevant digital service—

(a) eliminate unnecessary functions from system requirements;

(b) where risks cannot be managed by the elimination of functions, replace or substitute features in the architecture of the system;

(c) where risks cannot be managed by the replacement or substitution of features, implement active functional controls;

(d) where risks cannot be managed by the implementation of active functional controls, instruct and implement operational and procedural controls;

(e) as a matter of last resort, apply requirements, conditions of use or instructions to service users.

(2B) For the purposes of paragraph (1), “risks” include those relating to the availability, reliability, safety, integrity, maintainability and confidentiality of the relevant services or systems.’”

Clause stand part.

David Chadwick

Surely, we cannot pass a cyber-security and resilience Bill that ignores a crime that affects thousands of people. We know that cyber-security criminals across the world attack individuals to enable themselves to get into systems. Families are losing life savings, and small businesses are shutting down because of this epidemic.

The Government often treat fraud as a policing issue, but the amendment would establish that it should be regarded as a cyber-security issue that needs action at the national security level. By amending regulation 12(1) of the NIS regulations, we place a legal duty on digital providers to identify these vulnerabilities proactively. If we mandate that providers manage fraud risks before an incident occurs, we will reduce the number of victims and the devastation caused to livelihoods. We cannot claim to protect our digital economy while ignoring the billions of pounds lost to scams.

Dr Ben Spencer

Clause 8 provides a new definition of “relevant digital service” and makes it clear that this category includes online marketplaces, online search engines and cloud computing services. The definition of “relevant digital service provider” is updated to encompass all entities providing a relevant digital service in the UK, regardless of whether they are established here. Entities designated as critical suppliers are excluded from the definition to avoid duplication of duties and regulatory oversight from sector-specific competent authorities.

However, the definition excludes from scope of regulation relevant digital service providers subject to public authority oversight, unless they derive over half their income from commercial activities. The exclusion of organisations overseen by public authorities also applies in relation to relevant managed service providers.

In many respects, clauses 7 and 8 provide necessary updates to reflect the changing nature and use of vital digital services. Once again, including within the scope of regulation companies that deliver services to the UK but are established or headquartered elsewhere helps to ensure that those companies report cyber-security incidents to UK authorities, rather than just authorities in their home states. That means that UK regulators and law enforcement are equipped with the most comprehensive knowledge of emerging threats.

Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting)

Dr Ben Spencer

I thank my hon. Friend for pointing out that discrepancy in the costings. It goes back to the key principle that business and business modelling are best left to businesspeople, not to Government. The Government have a facilitatory role, but fundamentally their role is to get out of the way of business so that it can succeed and our economy can thrive. We need to ensure, for the good of our economy as a whole, that the critical elements of it are regulated in that way.

Given the interconnected operation of MSPs in our digital sector, any burden that we put on business will limit the growth that we all need and will limit competitiveness. In this footloose market especially, that could result in organisations and companies operating in other sectors, notwithstanding the fact that they will have to comply with UK jurisdictional rules. As a general point, regulations will cause footloose industries to move and operate in different sectors, which will mean less taxation revenue and more costs for clients, making it more difficult to do business.

We need to make sure that our economy is as nimble and free as possible, both for those trading as an MSP and more generally. I cannot labour the point enough: the costs that we impose on businesses under the Bill, in particular in the cyber-security and tech sector, will be felt by our economy as a whole. We will have to pay for that through increased inflation in food, energy or anything else that our critical suppliers provide. Even our NHS provision costs will increase as a consequence of the regulatory burden on businesses as disparate and distant from the NHS as those that we see in the Bill.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

The hon. Member is quite right to say that American companies have captured most of the market that he is talking about, particularly the cloud providers. What does he think is stopping British cloud providers from getting a larger share of the market?

Dr Ben Spencer

The cloud providers I have spoken to talk about several things. They talk about the crippling cost of energy in the UK, something that we need to drive down—

Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)

Dr Ben Spencer

Q From all three of your perspectives, are you quite clear about where your individual institutional responsibilities lie? Is there clear water between the organisations? When Ian Levy from Amazon gave evidence this morning, I was struck when he said that Amazon is regulated in the cyber-security space by four regulators. Is the separation of duties and responsibilities clear? Is there a risk that the Secretary of State’s ability to designate critical security risks will muddy the water a bit?

Stuart Okin: We have a clear understanding of the responsibilities within Ofgem. We are the joint competent authority with the Department for Energy Security and Net Zero. The Department does the designation and instant handling, and we do all the rest of the operations, including monitoring, enforcement and inspections. We understand our remit with NCSC. GCHQ is part of the cyber-security incident response team; it is ultimately responsible there.

Going back to your main concern, we are part of an ecosystem. We have to understand where our lines are drawn, where NCSC’s responsibilities are and what the jobs are. To go back to us specifically, we can talk about engineering aspects, electrical engineering, gas engineering and the cyber elements that affect that, including technology resilience—not cyber. As long as we have clear gateways and communication between each other—and I think that the Bill provides those gateways—that will also assist, but there are clear lines of responsibilities.

Natalie Black: It is clear that there is work to do to get in the same place for the Bill. Exactly as Stuart said, the information gateways will make a massive difference. It is too hard, at the moment, to share information between us and with the National Cyber Security Centre. The fact that companies will have to report within 24 hours not only to us but to the NCSC is very welcome.

To return to my earlier point, we think that there is a bit of work for DSIT to do to help to co-ordinate this quite complicated landscape, and I think that industry would really welcome that.

Ian Hulme: I agree with colleagues. From an ICO perspective, we see our responsibilities as a NIS competent authority as complementary to our role as a data protection regulator. If you want secure data, you have to have secure and resilient networks, which are obviously used to process data. We see it as a complementary set of regulations to our function as a data protection regulator.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

Q I would like to continue the line of questioning on the importance of having a single regulator. Other countries, such as the Netherlands, have recently merged their cyber-security organisations. The Bill introduces expanded but sector-specific reporting requirements, to apply to regulators across different sectors. Do you believe that this fragmented reporting landscape risks preventing Government and regulators from forming a coherent cross-sector picture of emerging threats—particularly when foreign actors may be probing multiple systems simultaneously? If so, what measures could be taken to mitigate that risk?

It strikes me that, if one of the things that this legislation is to guard against is pre-positioning, and there are 14 parallel reporting systems in place, it could be the case that those pre-positioning attacks are not picked up as co-ordinated attacks from another nation state or organisation, because they are not pulled together in time.

Natalie Black: I point to my earlier remarks about information sharing. You are right: that is one of the great benefits of the Bill. To be able to do more, particularly when it comes to pre-positioning attacks, is really important. You will have heard from the NCSC, among others, that that is certainly a threat that we are seeing more and more of.

At the moment, it is too difficult to share information between us. The requirement to have an annual report to the NCSC is a good mechanism for consolidating what we are all seeing, and then for the NCSC to play the role of drawing conclusions. It is worth emphasising that Ofcom is not an operational organisation; we are a regulator. We look to the NCSC to provide threat leadership for what is going on across the piece. I think that that answers your question about where it all comes together.

Stuart Okin: I fully support that. The NCSC will be the hub for that type of threat intel and communications, in terms of risks such as pre-positioning and other areas. The gateways will help us to communicate.

Ian Hulme: Bringing it back to the practicalities of instant reporting, you said that there are potentially 14 lines of incident reporting because there are 14 competent authorities. How that can be consolidated is something to be explored. Put yourself in a position of an organisation that is having to make a report: there needs to be clarity on where it has to make it to and what it needs to report.

David Chadwick

Q Do you know how you would do that information sharing at the moment?

Ian Hulme: As we have already explained, the current regs do not allow us to share the information, which is a bit of a barrier for us. In the future, certainly, we will be working together to try to figure it out. I think that there is also a role for DSIT in that.

Natalie Black: First, we currently have a real problem in that information sharing is much harder than it should be. The Bill makes a big difference in addressing that point, not only among ourselves but with DSIT and NCSC. Secondly, we think that there is an opportunity to improve information reporting, particularly incident reporting, and we would welcome working with DSIT and others—I have mentioned the Digital Regulation Cooperation Forum—to help us find a way to make it easier for industry, because the pace at which we need to move means that we want to ensure that there is no unnecessary rub in the system.

Emily Darlington (Milton Keynes Central) (Lab)

Q I have a question for Ian Hulme. In your role at the ICO, you are clearly looking at data security. Data is obviously one of the main goals of cyber-attacks. Data issues cut across every sector, and you are looking at a really broad sector of data, from individual identifiers to names, addresses, bank accounts or whatever it might be. This could happen in any sector. How does the Bill give you additional powers to take action, particularly on those co-ordinated through AI or foreign actors, and do you think it is sufficient for what you feel we will be facing in the next five years?

Ian Hulme: We need to think about this as essentially two different regimes. The requirements under data protection legislation to report a data breach are well established, and we have teams, systems and processes that manage all that. There are some notable cases that have been in the public domain in recent months where we have levied fines against organisations for data breaches.

The first thing to realise is that we are still talking about only quite a small sub-sector—digital service providers, including cloud computing service providers, online marketplaces, search engines and, when they are eventually brought into scope, MSPs. A lot of MSPs will provide services for a lot of data controllers so, as I explained, if you have the resilience and security of information networks, that should help to make data more secure in the future.

--- Later in debate ---
Dr Ben Spencer

Q Thank you very much for coming in to give us evidence this afternoon, and thank you for your service. I have two questions. Who are the main threat actors in cyber-attacks on UK networks and information systems—what do they break down into, in terms of state actors, affiliates and criminal gangs?

Secondly, on ransomware attacks, you will know that the Government review states that ransomware is

“the greatest of all serious and organised cybercrime threats”.

In your view, what is the scale of that threat and what sectors and businesses are the primary targets?

DCS Andrew Gould: To take the actors first, they are probably quite well known, in terms of the general groupings. Yes, we have our state actors—the traditional adversaries that we regularly talk about—and they generally offer very much a higher-end capability, as you will all be aware.

The next biggest threat group is organised crime groups. You see a real diversity of capability within that. You will see some that are highly capable, often from foreign jurisdictions—Russian jurisdictions or Russian-speaking. The malware developers are often the more sophisticated as service-type offerings. We see more and more ransomware and other crime types almost operating as franchises—“Here is the capability, off you go, give us a cut.” Then they have less control over how those capabilities are used, so we are seeing a real diversification of the threat, particularly when it comes to ransomware.

Then, where you have that proximity to state-directed, if not quite state-controlled—that crossover between some of those high-end crime groups and the state; I am thinking primarily of Russia—it is a lot harder to attribute the intent behind an attack. There is a blurring of who was it and for what purpose was it done, and there is that element of deniability because it is that one further step away.

Moving back down the levels of the organised crime groups, you have a real profusion of less capable actors within that space, from all around the world, driving huge volumes, often using quite sophisticated tools but not really understanding how they work.

What we have seen is almost like a fragmentation in the criminal marketplace. The barrier to criminal entry is probably lower than it has ever been. You can download these capabilities quite readily—you can watch a tutorial on YouTube or anywhere else on how to use them, and off you go, even if you do not necessarily understand the impact. We certainly saw a real shift post pandemic from traditional criminals and crime groups into more online crime, because it was easier and less risky.

You look more broadly at hacktivists, terrorists—who are probably a lot less capable; they might have the intent but not so much the capability—and then the group that are sometimes slightly patronisingly described as script kiddies. These are young individuals with a real interest in developing their skills. They have an understanding that what they are doing is wrong, but they are probably not financially or criminally motivated. If they were not engaging in that kind of cyber-crime, they probably would not be engaging in other forms of criminality, but they can still do a lot of damage with the tools they can get their hands on, given that so many organisations seem to struggle to deliver even a basic level of cyber-resilience and cyber-security.

One of the things that we really noticed changing over the last 18 months is the diversification of UK threats. Your traditional UK cyber-criminal, if there is such a thing, is primarily focused on hacking for personal benefit, ransomware and other activity. Now we are seeing a diversification, and more of a hybrid, cross-organised crime threat. There are often two factors to that. We often hear it described in the media or by us within law enforcement publicly as the common threat—this emerging community online—otherwise known as Scattered Spider.

There, we are seeing two elements to those sorts of groups. You see an element of maybe more traditional cyber-skills engaged in hacking or using those skills for fraud, but we also see those skills being used for Computer Misuse Act offences, in order to enable other offences. One of the big areas for that at the moment that we see is around intimate image abuse. We see more and more UK-based criminals hacking individuals’ devices to access, they hope, intimate images. They then identify the subject of those intimate images, most predominantly women, and then engage in acts of extortion, bullying or harassment. We have seen some instances of real-world contact away from that online contact.

Think of the scale of that and the challenge that presents to policing. I can think of cases in cyber-crime unit investigations across the country where you have got a handful of individuals who have victimised thousands of women in the UK and abroad. You have got these small cyber-crime units of a handful of people trying to manage 4,000 or 10,000 victims.

It is very difficult and very challenging, but the flipside of that is that, if they are UK-based, we have a much better chance of getting hold of them, so we are seeing a lot more arrests for those cross-hybrid threats, which is a positive. There is definitely an emerging cohort that then starts to blend in with threats like Southport and violence-fixated individuals. There seems to be a real mishmash of online threat coming together and then separating apart in a way that we have never seen historically. That is a real change in the UK threat that is driving a lot of policing activity.

Turning to your ransomware question, what is interesting, in terms of the kinds of organisations that are impacted by ransomware, a lot of the ransomware actors do not want to come to notice for hitting critical national infrastructure. They do not want to do the cloning of pipelines. They do not want to be taking out hospitals and the NHS. They know they will not get paid if they hit UK critical national infrastructure, for starters, so there is a disincentive, but they also do not want that level of Government or law enforcement attention.

Think of the disruptive effect that the UK NCA and policing had on LockBit the year before last. LockBit went from being the No. 1 ransomware strain globally to being out of the top 10 and struggling to come back. We saw a real fragmentation of the ransomware market post that. There is no dominant strain or group within that that has emerged to cover that. A lot of those groups that are coming into that space may be a bit less skilled, sophisticated and successful.

The overall threat to organisations is pretty much the same. The volume is the volume, but it is probably less CNI and more smaller organisations because they are more vulnerable and it is less likely to play out very publicly than if there is a big impact on the economy or critical national infrastructure. As such, there is probably not the level of impact in the areas that people would expect, notwithstanding some of the really high-profile incidents we had last year.

David Chadwick

Q Thank you for joining us. You mentioned frauds. It is a fact that criminals across the world are targeting British citizens every day. In Dyfed-Powys, over £500,000 was lost to online fraud in 2023-24, and elderly victims are losing £7,900 a day to fraud. Clearly, these attacks are coming from all over the world. Interpol recently arrested over 800 members of a global criminal network based in Nigeria. From your perspective, how effectively are UK police forces currently able to work with international partners to investigate and prosecute overseas criminals? What additional support from the Government would most improve your ability to mitigate online fraud from overseas?

DCS Andrew Gould: That is a really good question. The international jurisdiction challenge for us is huge. We know that is where most of the volumes are driven from, and obviously we do not have the powers to just go over and get hold of the people we would necessarily want to. You will not be surprised to hear that it really varies between jurisdictions. Some are a lot more keen to address some of the threats emanating from their countries than others. More countries are starting to treat this as more of a priority, but it can take years to investigate an organised crime group or a network, and it takes them seconds to commit the crime. It is a huge challenge.

There are two things that we could do more of better—these are things that are in train already. If you think about the wealth of cyber-crime, online fraud and so on, all the data, and a lot of the skills and expertise to tackle that sit within the private sector, whereas in law enforcement, we have the law enforcement powers to take action to address some of it.

With a recent pilot in the City funded by the Home Office, we have started to move beyond our traditional private sector partnerships. We are working with key existing partners—blockchain analytic companies or open-source intelligence companies—and we are effectively in an openly commercial relationship; we are paying them to undertake operational activity on our behalf. We are saying, “Company a, b or c, we want you to identify UK-based cyber-criminals, online fraudsters, money-laundering and opportunities for crypto-seizure under the Proceeds of Crime Act 2002”. They have the global datasets and the bigger picture; we have only a small piece of the puzzle. By working with them jointly on operations, they might bring a number of targets for us, and we can then develop that into operational activity using some of the other tools and techniques that we have.

It is quite early days with that pilot, but the first investigation we did down in the south-east resulted in a seizure of about £40 million-worth of cryptocurrency. That is off a commercial contract that cost us a couple of hundred grand. There is potential for return on investment and impact as we scale it up. It is a capability that you can point at any area of online threat, not just cyber-crime and fraud, so there are some huge opportunities for it to really start to impact at scale.

One of the other things we do in a much more automated and technical way—again funded by the Home Office—is the replacement of the Action Fraud system with the new Report Fraud system. That will, over the next year or so, start to ingest a lot of private sector datasets from financial institutions, open-source intelligence companies and the like, so we will have a much broader understanding of all those threats and we will also be able to engage in takedowns and disruptions in an automated way at scale, working with a lot of the communication service providers, banks and others.

Instead of the traditional manual way we have always been doing a lot of that protection, we can, through partnerships, start doing it in a much more automated and effective way at scale. Over time, we will be able to design out and remove a lot of the volume you see impacting the UK public now. That is certainly the plan.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

Q One of the things that we have heard over the course of the day is that the Bill is just one of a range of different ways in which public authorities engage with companies on cyber-security and resilience. I am interested in hearing about the impact the Police CyberAlarm programme has had on the cyber-security and resilience of organisations. What would you like to see going forward?

DCS Andrew Gould: I love the fact that you have heard of it. One of the things that we struggle with is promoting a lot of these initiatives. Successive Governments actually deserve a lot of credit for the range of services that are provided. We aspire to be a global cyber-power, and in many ways we are. When you look at the range of services, tools, advice and guidance that organisations or the public can get, there is quite a positive story to tell there. I think we struggle to bring that into one single narrative and promote it, which is a real challenge. People just do not know that those services are there.

For those who are not familiar with Police CyberAlarm, it is a Home Office-funded policing tool focused on small and medium-sized organisations that probably do not have the skills or understanding to protect themselves as effectively. They can download that piece of software, and it will sit on their external networks and monitor for attacks. For the first time, it helps us in policing to build a domestic threat picture for small and medium-sized organisations, because everybody has a different piece of the puzzle. GCHQ has great insight into what is coming into the UK infrastructure, but it obviously cannot monitor domestically. Big organisations that provide cyber-security services and monitoring know what is impacting their clients or their organisation, but not everybody else. At policing, we get what is reported, which is a tiny piece of the puzzle. So everyone has a different bit of the jigsaw, and none of it fits together, and, even if it did, there would still be gaps. For SMEs, that is a particular gap.

For us, we get the threat intelligence to drive our operational activity, which has been quite successful for us. The benefit for member organisations—we are up to about 12,000 organisations at the moment, which are mostly schools, because we know that they are the most vulnerable to attack for a variety of reasons—is that, having the free tool available, it can do the monthly vulnerability scans and assessments. So they are getting a report from the police that tells them what they need to fix and what they need to patch.

We do not publicly offer a lifetime monitoring service, because we would not want the liability and responsibility, and we do not have the infrastructure to run that scale of security operation centre. But, in effect, that is actually what we have been doing for a long time—maybe not 24/7, but most of the time—because we have been able to identify precursor activity to ransomware attacks on schools or other organisations, and have been able to step in and prevent it from happening. There have been instances where officers have literally got in cars and gone on a blue light to organisations to say, “You need to shut some stuff off now, because you are about to lose control of your whole organisation.”

To that extent, it has been really impactful, but the challenge for us is how to scale. How do you scale so that people understand that it is there? How do you make it easier for organisations to install? That is one of the things that we are working on at the moment, so that everybody can benefit from the scans and the threat reporting, and we can benefit from a bigger understanding of what is going on.

The flip side of the SME offer from our point of view is our cyber-resilience centres. By working with some of the top student talent in the country, we can scale to offer our member organisations across the country the latest advice and guidance, help them understand what the NCSC advice and guidance is, and then help them to get the right level of security policies, patch their systems and all that kind of thing. It helps them to take the first steps on their cyber-resilience journey, and hopefully be more mature consumers of cyber-security industry services going forward. We are helping to create a market for growth, but also helping those organisations to understand their specific vulnerabilities and improve from a very base level.

--- Later in debate ---
Dr Ben Spencer

Q Do you think that would be helpful in this context?

Richard Starnes: Yes. We have FS-ISAC operating in the United Kingdom and in Europe, with all the major banks, but if you took this and replicated it on an industry-by-industry basis, particularly ones in CNI, that would be helpful. It would also help with information sharing with entities like NCSC and GCHQ.

David Chadwick

Q Thank you for joining us. Reporting of several recent cyber-attacks has one thing in common: there were often insufficient security measures in place. British Airways in 2018 is just one example. Reportedly, the average tenure of a chief information security officer is 18 months. From your perspective, what do CISOs need from the Bill to help strengthen their hand when they are saying to a board, “This is what I need to do to keep our organisation secure”?

Richard Starnes: On what you say about the 18-month tenure, one of the problems is stress. A lot of CISOs are burning out and moving to companies that they consider to have boards that are more receptive to what they do for a living. Some companies get it. Some companies support the CISOs, and maybe have them reporting to a parallel to the CIO, or chief information officer. A big discussion among CISOs is that having a CISO reporting to a CIO is a conflict of interest. A CISO is essentially a governance position, so you wind up having to govern your boss, which I would submit is a bit of a challenge.

How do we help CISOs? First, with stringent application of regulatory instruments. We should also look at or discuss the idea of having C-level or board-level executives specifically liable for not doing proper risk governance of cyber-security—that is something that I think needs to be discussed. Section 172 of the Companies Act 2006 states that you must act in the best interests of your company. In this day and age, I would submit that not addressing cyber-risk is a direct attack on your bottom line.

Dr Allison Gardner

Q You have answered the question I was about to ask. I may ask an addendum to that, but first I want to clarify something. If you put liability on an individual board member, that is going to cause problems. Do you think that there should be a statutory responsibility for the company to have a board member responsible for cyber-risk, and that the responsibility and accountability should sit at company level?

Richard Starnes: I think this should flow from the board to the C-level executives. Most boards have a risk committee of some sort, and I think the chair of the risk committee would be a natural place for that responsibility to sit, but there has to be somebody who is ultimately responsible. If the board does not take it seriously, the C-levels will not, and if the C-levels will not, the rest of the company will not.

--- Later in debate ---
Emily Darlington

Q I note your interest in how the Bill will affect smaller businesses. There is not much detail in the Bill, but how do you think the code of practice could create an environment that lifts everyone’s security up without prescribing too great a burden?

Richard Starnes: You just stepped on one of my soapbox issues. I would like to see the code of practice become part of the annual Companies House registrations for every registered company. To me, this is an attestation that, “We understand cyber-security, we’ve had it put in front of us, and we have to address it in some way.”

One of the biggest problems, which Andy talked about earlier, is that we have all these wonderful things that the Government are doing with regard to cyber-security, down to the micro-level companies, but there are 5.5 million companies in the United Kingdom that are not enterprise-level companies, and the vast majority of them have 25 employees or fewer. How do we get to these people and say, “This is important. You need to look at this”? This is a societal issue. The code of practice and having it registered through Companies House are the way to do that. We need to start small and move big. Only 3% of businesses are involved in Cyber Essentials, which is just that: the essentials. It is the baseline, so we need to start there.

David Chadwick

Q We have heard concerns about definitions, particularly regarding incident reporting. What are your observations on the Bill as it stands, and those definitions?

Richard Starnes: Throughout my career, I have been involved in cyber incidents from just about day one. One of the biggest problems that you run into in the first 72 hours, for example, is actually determining whether you have been breached. Just because it looks bad does not mean it is bad. More times than not, you have had indicators of compromise, and you have gone through the entire chain, which has taken you a day, or maybe two or three days, of very diligent work with very clever people to determine that, no, you have not been breached; it was a false positive that was difficult to track down. Do you want to open the door to a regulator coming in and then finding out it is a false positive?

You are also going to have a very significant problem with the amount of alerts that you get with a 24-hour notification requirement, because there is going to be an air of caution, particularly with new legislation. Everybody and his brother is going to be saying, “We think we’ve got a problem.” Alternatively, if they do not, then you have a different issue.

The Chair

If there are no further questions, I thank our witness for his evidence. I will suspend the Committee for a few minutes because our next witnesses, who will give evidence online, are not ready yet.

--- Later in debate ---
Dr Ben Spencer

Q Thanks for coming to give evidence this afternoon. I have two questions—one for each of you. Chris, from Fortinet’s perspective, what more do you think the Government can do to support SMEs to improve their cyber-resilience, while at the same time ensuring that the burden of regulation remains proportionate, particularly on smaller companies?

Carla, from the Palo Alto Networks perspective, what are your views on the changes to the incident reporting regime under the Bill? Will the approach help or hinder regulators in identifying and responding to the most serious threats quickly?

Chris Parker: I should point out that Carla is also co-chair of the cyber resilience committee, so you have both co-chairs here today.

As large cyber companies, we are very proud of one thing that is pertinent to the sector that may not be clear to everybody outside. I have worked in many sectors, and this is the most collaborative—most of it unseen—and sharing sector in the world. It has to be, because cyber does not respect borders. When we go to the most vulnerable organisations, which one would expect cannot afford things and therefore there must be a function of price, such as SMEs—I was an SME owner in a previous life—that is very dear to us. With the technology that is available, what is really good news is that when people buy cyber-security for their small business—in the UK or anywhere in the world—they are actually buying the same technology; it is effectively just a different engine size in most cases. There are different phases of technology. There is the latest stuff that is coming in, which they may not be getting into yet. However, the first thing to say is that it is a very fair system, and pricing-wise, it is a very fair system indeed for SMEs.

The second point is about making sure we are aware of the amount of free training going on across the world, and most of the vendors—the manufacturers—do that. Fortinet has a huge system of free training available for all people. What does that give? It is not just technical training for cyber-security staff; it is for ordinary people, including administrative workers and the people who are sometimes the ones who let the bad actor in. There are a lot of efforts. There is a human factor, as well as technological and commercial factors.

The other thing I would like to mention is that the cyber resilience committee, which Carla and I are lucky to co-chair, is elected. We have elected quite a large proportion of SME members. There is also a separate committee run by techUK. You heard from Stuart McKean earlier today, and he is one of the co-chairs, or the vice chair, of that committee.

Carla Baker: On incident reporting, as I am sure you are aware, the Bill states that organisations must report an incident if it is

“likely to have an impact”.

Our view, and I think that of techUK, is that the definition is far too broad. Anything that is likely to cause an impact could be a phishing email that an organisation has received. Organisations receive lots and lots of spoof emails.

I will give an example. Palo Alto Networks is one of the largest pure-play cyber-security companies. Our security operations centre—the hub of our organisation—processes something like 90 billion alerts a day. That is just our organisation. Through analysis and automation, the number is whittled down to just over 20,000. Then, through technology and capabilities, it is further whittled down, so that we are analysing about 75 alerts.

You can equate it to a car, for example. If you are driving and see a flashing yellow light, something is wrong. That is like 20,000 alerts. It is then whittled down to about 75, so we would potentially have to report up to 75 incidents per day, and that is just one organisation. There are a lot more. The burden on the regulator would be massive because there would be a lot of noise. It would struggle to ascertain what is the real problem—the high-risk incidents that impact the UK as a whole—and the noise would get in the way of that.

We have come up with a suggestion, an amendment to the legislation, that would involve a more tiered approach. There would be a more measurable and proportionate reporting threshold, with three tiers. The first is an incident that causes material service disruption, affecting a core service, a critical customer or a significant portion of users. The second is unauthorised, persistent access to a system. The third is an incident that has compromised core security controls—that is, security systems. Having a threshold that is measurable and proportionate is easier for organisations to understand than referring to an incident that is

“likely to have an impact”,

because, as I said, a phishing email is likely to cause an impact if an organisation does not have the right security measures in place.

David Chadwick

Q Thank you both for joining us. I have a very broad, open question: what other measures, both legislative and non-legislative, could the UK Government take to enhance the cyber-resilience of the UK’s critical national infrastructure?

Chris Parker: That is an excellent question. The good news is that a lot is happening already. An enormous amount of collaborative effort is going on at the moment. We must also give grace to the fact that it is a very new sector and a new problem, so everybody is going at it. That leads me on to the fact that the UK has a critical role in this, but it is a global problem, and therefore the amount of international collaboration is significant—not only from law enforcement and cyber-security agencies, but from businesses. Of course, our footprints, as big businesses, mean that we are always collaborating and talking to our teams around the world.

In terms of what the UK can do more of, a lot of the things that have to change are a function of two words: culture and harmonisation—harmonisation of standards. It is about trying not to be too concerned about getting everything absolutely right scientifically, which is quite tempting, but to make sure we can harmonise examples of international cyber-standards. It is about going after some commonality and those sorts of things.

I think the UK could have a unique role in driving that, as we have done with other organisations based out of London, such as the International Maritime Organisation for shipping standards. That is an aspiration, but we should all drive towards it. I think it is something the UK could definitely do because of our unique position in looking at multiple jurisdictions. We also have our own responsibilities, not only with the Commonwealth but with other bodies that we are part of, such as the United Nations.

It is not all good news. The challenge is that, as much as we know that harmonisation is okay, unfortunately everyone is moving. Things have started, and everyone is running hot. An important point to make is that it is one of the busiest sectors in the world right now, and everybody is very busy. This comes back to the UK having a particular eye on regulatory load, versus the important part that other elements of our society want, which is growth and economic prosperity. We talked earlier about SMEs. They do not have the capability to cover compliance and regulatory load easily, and we would probably all accept that. We have to be careful when talking about things such as designating critical suppliers.

All of this wraps up into increasing collaboration through public-private partnerships and building trust, so that when the Government and hard-working civil servants want to see which boundaries are right to push and which are not, bodies such as the UK cyber resilience committee, which Carla and I are on, can use those collaborative examples as much as possible.

There is quite a lot there, but something the UK certainly should be pushing to do is culture change, which we know has to be part of it—things have been talked about today by various speakers—as well as the harmonisation of standards.

Carla Baker: I think we are in a really interesting and exciting part of policy development: we have the Bill, and we have recently had the Government cyber action plan, which you may have heard about; and the national cyber action plan is coming in a few months’ time. The Government cyber action plan is internally facing, looking at what the Government need to do to address their resilience. The national cyber action plan is wider and looks at what the UK must do. We are at a really exciting point, with lots of focus and attention on cyber-security.

To address your point, I think there are three overarching things that we should be looking at. First is incentivising organisations, which is part of the Bill and will hopefully be a big part of the national cyber action plan. We must incentivise organisations to do more around cyber-security to improve their security posture. We heard from previous panellists about the threats that are arising, so organisations have to take a step forward.

Secondly, I think the Government should use their purchasing power and their position to start supporting organisations that are doing the right thing and are championing good cyber-security. There is more that the Government can do there. They could use procurement processes to mandate certain security requirements. We know that Cyber Essentials is nearly always on procurement tenders and all those types of things, but more can be done here to embed the need for enhanced security requirements.

Thirdly, I think a previous witness talked about information sharing. There is a bit of a void at the moment around information sharing. The cyber security information sharing partnership was set up, I think, 10 years ago—

Chris Parker: Yes, 10 years ago.

Carla Baker: It was disbanded a couple of months ago, and that has left a massive void. How does industry share intelligence and information about the threats they are seeing? Likewise, how can they receive information about the threat landscape? We have sector-specific things, but there isn’t a global pool, and there is a slight void at the moment.

David Chadwick

Q What about workforce? One thing we have heard today from the regulators is that they are going to have to expand their teams. Reportedly, there are thousands of vacancies across cyber-security, and there is more regulation coming that they will have to comply with. What should the Government be doing to improve and expand the size of the workforce that is available to do all of this work?

Chris Parker: It is a national problem. We have had a lot of discussion on that at the techUK cyber resilience committee. We think it is not just about skills and bunging lots of training at people, because you have to work out cyber as a whole. A very small component of cyber is people at the wonderfully high-tech end, where they are coding and writing software. There are an awful lot of jobs in places out there that a lot of people are just not aware of, and perhaps would therefore not be volunteering or aiming towards it—even at their school. There are lots of jobs in cyber sales, marketing and analysis that do not require a very high level of mathematics, for example. Some of them do not need a very high level of mathematics at all. I think that some awareness needs to be built there.

Personally, I would like to see more championing of the people who are in the sector at the moment. We have some fantastic young men and women in the sector, but we also need to make sure they are able to have chartered status. It is out there, now that we are starting, but it needs to gather pace, because we need to make sure these people are represented and feel professional, so that it can be reflected.

Another thing to mention is that there is a lot of effort in the cyber growth partnership, which is run through DSIT and techUK. It is initiating an idea where people will be lent from industry into academia, to offer inspiration but also to improve lecture quality and standards, because things move fast and we are running so hot. It is very hard for academia to keep up. There is quite a lot that can be done to increase the workforce and skills, but going back to our original points, with greater public-private collaboration and discussion, we will get it absolutely right on focusing on the right places to spend resources.

The Chair

I call Tim Roca.

--- Later in debate ---
Dr Ben Spencer

Q Notwithstanding other components to the criteria one may seek to use or will use, is there a danger that—although this is clearly not the intention in the drafting—through the back door, our entire economy ends up being in scope of this Bill?

Carla Baker: I think that is part of the issue about not having clear criteria about how regulators will designate. That also means that different regulators will take different approaches, so we would welcome more clarity and early consultation around the criteria that will be used for the regulators to designate a critical dependency, which prevents having different regulatory approaches across the 12 different regulators, which we obviously do not want, and gives greater harmonisation and greater clarity for organisations to know, “Okay, I might be brought in, because those are the clear criteria the Government will be using.”

David Chadwick

Q This feels like quite a big issue to be flagging up quite late in the day. In terms of the legislative process, do you think there has been a good enough consultation process between Government and business?

Chris Parker: The consultation has been a best effort and I think it is a best effort as a function of three things. First, we have a new sector, a new Bill—something very new, it is not repeating something. Secondly, we are doing something at pace, it is a moving target, we have to get on with this, and so there is some compulsion involved. Thirdly, there are already some collaborative areas set up, such as techUK, that have been used. Would I personally have liked to have seen more? Yes—but I am realistic about how much time is needed; when you only have a certain resource, some people have got to do some writing and crafting as well as discussing.

One thing that we could look at, if we did the process again, would be more modelling, exercising and testing the Bill until it shakes a bit more—that is something that perhaps we could do, if we were to do this again. With the Telecommunications (Security) Act 2021, that was done at length and collaboratively with industry, on a nearly fortnightly basis, for some time. Beyond that, I think that we are realistic in industry because we understand the pressures on the people trying to bring legislation in. A second point to remember is that we are all volunteers. Carla and I, and all those on the Cyber Resilience Committee, volunteer away from our day jobs—which are busy—to do all this. There is a realistic expectation, if you like—but I would say there has been a best effort.

Carla Baker: I would like to look to the future. We have all the secondary legislation that is coming—and there will be a lot—so we recommend early insights, and time to review and consult, in order to provide that industry insight that we are happy to provide. Let us look to the secondary legislation and hope that there is good consultation there.

The Chair

If there are no further questions from Members, I will thank the witnesses for their evidence. We will now move on to our final panel.

Examination of Witness

Kanishka Narayan MP gave evidence.

--- Later in debate ---
The Chair

I think this might be the last question to the Minister.

David Chadwick

Q I have two questions. Why have electoral services provided by local authorities not been considered as critical infrastructure?

Kanishka Narayan: As I mentioned at the outset, the scope of the sectors is focused on a specific test: are they essential services, the disruption to which could cause an immediate threat to life or have an extremely significant impact on the day-to-day functioning of the country? I do not mean to diminish the significance of electoral services, but, notwithstanding their significant impact on me as a candidate on election day, the test does not appear to be met.

David Chadwick

Q Got it. The other question is about board-level responsibility. Numerous witnesses said that they would like to see more on board-level responsibility and people working within organisations, particularly chief information security officers, to strengthen their hands and make sure cyber-security measures are in place. What is your response to that?

Kanishka Narayan: It is absolutely critical that boards take their responsibilities to the organisation and the consequences of being in a regulated sector very seriously. The scope of the Bill has been mentioned. The Secretary of State wrote to FTSE 350 businesses, as well as a range of small businesses, to make that point very clear. The cyber assessment framework has particular requirements for boards to take their cyber-security responsibilities seriously. In the course of implementing the Bill and in the secondary legislation process, we will look to ensure that specified security and resilience activities, including the possibility of specific responsibilities, are set out very clearly.

The Chair

Dr Allison Gardner, you have two minutes.

Mobile Phones and Social Media: Use by Children

David Chadwick Excerpts
Tuesday 20th January 2026

Commons Chamber
Liz Kendall

My right hon. Friend the Education Secretary is leading on the guidance on screen time. I will definitely raise that issue with her. My primary schools are extremely worried about screen time. For children under 5, there are also implications for language development, fine motor skills and communication confidence. All those issues are important, but I will definitely raise the point about the impact on people’s eyes with my right hon. Friend.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

Over the past year, I have spoken to hundreds of children in schools across my constituency as part of my safer screens tour. It has been very distressing to hear from them about the material that they have been exposed to, and to hear that social media companies have not come back to them when they have reported this harmful content. If the Secretary of State agrees that there should be a ban on children accessing harmful social media platforms, will the default age for accessing them be 16?

Liz Kendall

The hon. Gentleman knows that I have set out that we will consult on the age of 16, but I remind the House that the Online Safety Act has very strong provisions against illegal content for people of all ages and harmful content for children. We need to make sure that it is effectively enforced now, whatever decision is made through the consultation.

Data (Use and Access) Bill [Lords]

David Chadwick Excerpts
Wednesday 7th May 2025

Commons Chamber
Madam Deputy Speaker (Caroline Nokes)

Order. The hon. Gentleman’s time is up.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

I rise to speak in strong support of new clauses 1 and 2.

New clause 1 seeks to raise the age of consent for social media data processing from 13 to 16. As the father of two young boys, I am deeply concerned about the way in which tech platforms engineer addiction, manipulate attention, and shape childhood in ways that parents and even Governments cannot easily counter. This is not hypothetical; it is the reality that our children are living every day. Children aged 13 to 15 are especially vulnerable. Those social media algorithms do not just show content. They shape beliefs, reinforce insecurities and amplify harm. Whether it is body image filters, content promoting self-harm or endless scrolling, these platforms are designed for engagement, not wellbeing.

The new clause would not ban young people from using social media. It simply says that their data should not be exploited for commercial gain without genuine, informed consent. By raising the age to 16 for these specific practices, we align with international best practice and the United Nations convention on the rights of the child. With clear exemptions for education and health platforms, this is a targeted and proportionate reform that prioritises children’s mental health.

New clause 2 deals with copyright compliance and AI. As we all know, the AI revolution is here, but just as we would not let a factory operate by stealing its raw materials from others, we should not let AI models train on copyrighted work, such as books, music or journalism, without permission or payment. The new clause makes one clear demand: if an AI system operates in the UK, it must respect UK copyright law, regardless of where the servers are based. We are standing up for our creators—for the authors, musicians, film-makers and developers whose work gives AI its power. In Wales alone, the creative industries turned over £1.5 billion in 2023, employing more than 37,000 people. Let us not wait for lawsuits or damage to our industries. The new clause provides legal clarity, defends creators, and affirms that Parliament, not silicon valley, writes the rules.

These Liberal Democrat new clauses are principled, practical and long overdue, and I urge all Members to support them.

Madam Deputy Speaker (Caroline Nokes)

I call the shadow Minister.

Data (Use and Access) Bill [Lords]

David Chadwick Excerpts
Steff Aquarone

This is absolutely not a pitch to be a member of the Bill Committee, but I would certainly be grateful for the opportunity to implement my views in the design and delivery of Britain’s very own Tiger Leap into the data-driven revolution.

Estonia is a crystal-clear example proving that the results of such a transformation are not just the preserve of tech geeks—a category into which I place myself—but provide tangible benefits for individuals, and not just by making them use digital stuff at the front end, which the hon. Member for Windsor (Jack Rankin) will be glad to hear. I think about the lady in her 90s whose Openreach engineer understandably refused her fibre upgrade because the local council had not shared with them the fact that she used a telecare device. I also think of the farmers who are baffled by the systems used to issue flood recovery payments, because the data is not transparent.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

Does my hon. Friend agree that the key to extracting value from datasets is data retrievability?

Steff Aquarone

Absolutely. There are so many layers upon which data governance, data infrastructure and data practices must be established, and data retrievability is one of the things that sit between those layers and the application or interface that uses them.

Creative Industries

David Chadwick Excerpts
Monday 27th January 2025

Commons Chamber
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

When we talk about clusters of excellence, Wales must be at the forefront of the discussion. It is the birthplace of many famous musicians, actors and actresses, and the House can be assured that a steady flow of talent is in the pipeline. I know that because last night I took my two sons to their first panto in Brecon, where we saw the Westenders’ performance of “Robin Hood”—a community show, like many across the country, that brings people together as only the arts can.

Whenever I go to these shows, I notice the volunteers who sacrifice endless hours to make sure that the show goes ahead. People spend a whole month washing all the costumes that people wear during the performances. As far as I am aware, washing a whole cast’s kit is something that AI cannot yet do. That is why it is so important that we listen to the people at the grassroots of our creative industries, who face similar challenges across the country.

We have heard that small towns across the UK—Brecon is certainly up there—can provide a big stage for upcoming talent. It is important to keep developing that talent pipeline. Sadly, the Welsh Government have proposed a 9% cut to the Arts Council’s revenue budget for 2024-25, which would come on top of a 10.5% cut the year before, leaving the revenue budget at its lowest since 2007-08. That reduction will put further strain on an already vulnerable sector.

As we heard from the hon. Member for Caerfyrddin (Ann Davies), the creative industries are a powerful force in Wales, contributing more than 5% to our GDP and growing faster than the overall economy. With more than 35,000 people employed in the sector and a turnover of £1.5 billion in 2023-24, it is clear how vital the creative industries are to the Welsh economy. Film and television have been a massive success story. Wales is a global powerhouse in the UK’s media landscape, with shows such as “Gavin & Stacey” showcasing our talent to millions; over 19 million people watched the final this Christmas. Rob Brydon and Ruth Jones, we commend you. It is time for my humblebrag: my mum went to Porthcawl comprehensive school with them both.

The time for action to improve the arts is now. I am glad that the Government are talking about their plans for a better deal for the arts across the UK. We must make sure that includes Wales. The Welsh creative industries, especially our music and arts sector, must receive the support and investment that they need to survive and thrive. Clearly, we have the talent and the potential, but we need meaningful long-term policies and investment to ensure that the sector continues to grow and flourish for future generations.

As we have heard, the creative industries are a vital growth mechanism for the rural economy. That is why I am calling for a creative enterprise zone to be established in Brecon, Radnor and Cwm Tawe, to give a platform and all the help we can to the creative artists and musicians across my constituency.

--- Later in debate ---
Chris Bryant

I have already had several conversations with the owners. It is a brilliant facility. As I said in my first speech today, we have a large number of studios. Incidentally, I am delighted that we launched the Labour campaign for Earley and Woodley just outside those studios. That obviously brought us good luck. Of course, I am happy to visit when time allows.

I am not sure that I will be able to answer every single question that has been asked, but there was one subject that exercised quite a lot of Members: access for all to the arts and creative industries.

David Chadwick

Will the Minister give way?

Chris Bryant

I am very tempted to.

David Chadwick

I thank the Minister for giving way; it is very gracious of him. Many young farmers in Wales have told me that they would love to watch the output of the UK creative sector, particularly on Netflix, but they cannot. They are not able to download Netflix because their broadband is not good enough. What would the Minister advise them to do?

Chris Bryant

They should get in touch with the Telecoms Minister, but unfortunately he is rubbish. That is me. I am very happy to talk about the broadband issues in the hon. Gentleman’s constituency at any point, and if he wants a meeting with Building Digital UK, we can go through the specifics area by area. I have offered that to as many Members as I can.

Getting back to the creative industries, my hon. Friend the Member for Stoke-on-Trent Central (Gareth Snell) was channelling his inner Frank Sinatra; he basically said, “If we can make it here, we’ll make it anywhere.” He made a very good point: we need to make sure that creativity is perceived not as something that we see only in the big cities of this country, but as something that we need to exercise in every single part of the country. My hon. Friend the Member for Barking (Nesil Caliskan) made a very similar point about her constituency. My hon. Friend the Member for Leigh and Atherton (Jo Platt) made precisely that point—that creativity is not just about cities, but towns—as did my hon. Friend the Member for Hexham (Joe Morris).

The hon. Member for Guildford (Zöe Franklin) said, “If only we could recruit from not just one demographic.” I feel that so strongly. Perhaps the most famous actor from my constituency was Sir Stanley Baker from Ferndale, famous for “Zulu”, a film that every Welsh person has to watch about 52 times a year. Bringing people into the creative industries from every demographic is a really important part of what we need to do.